Using the IPSec Architecture for Secure Multicast Communication (Extended Abstract) Thorsten Aurisch Christoph Karg1 Forschungsgesellschaft fur¨ Angewandte Naturwissenschaften e.V. (FGAN) Forschungsinstitut fur¨ Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) Abteilung Kommunikation (KOM) Neuenahrer Straße 20 D-53345 Wachtberg-Werthhoven Germany Telephone: (+49) 228/9435–479 and (+49) 228/9435–513 Telefax: (+49) 228/9435–685 EMail: [email protected] and [email protected] Topic: Network-centric Applications Keywords: IP Security, IPv6, Multicast 1Corresponding Author Using IPSec for Secure Multicast Communications2 Thorsten Aurisch Christoph Karg Forschungsgesellschaft fur¨ Angewandte Naturwissenschaften e.V. (FGAN) Forschungsinstitut fur¨ Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) Abteilung Kommunikation (KOM) Neuenahrer Straße 20 D-53345 Wachtberg-Werthhoven Germany Telephone: (+49) 228/9435–479 and (+49) 228/9435–513 Telefax: (+49) 228/9435–685 EMail: [email protected] and [email protected] Abstract A key component of the IP Security architecture is the Internet Key Exchange Daemon (IKE). IKE is invoked to establish keys and security related parameters between hosts in order to pro- tected the exchanged application data with them. The IKE concept can not be used for secur- ing group communication based on IP multicast services since it is only addressed to pairwise security. For negotiation and controlled distribution of group security data and membership management the Multicast Internet Key Exchange (MIKE) is introduced. The appropriate dae- mon will be developed for to the use in military environment. This implies for the MIKE protocols that they are insensitive against packet loss and fulfill special military conditions, e.g. the emission control mode (EMCON) of a user. This paper discusses the architecture and design for MIKE daemon which executes the management functions described above. 1. Introduction A major task of a distributed Command, Control, and Communication Information System (C3IS) is the collection and transmission of information between the spatially separated parts of the sys- tem. For this purpose, usually a TCP/IP-based network is set up. Primary, TCP/IP was designed for unicast transmissions. This kind of transmission works well for peer-to-peer connections where an originator sends his data to exactly one receiver. The unicast model is suitable for an vast variety of internet applications. However, it has weaknesses in the case of data transfer from one sender to a group of receivers. As a matter of principle, such a type of communication is realizable via unicast by sending a copy of the datagram to each receiver. The cost of this method (in terms of bandwidth usage) is proportional in the number of receivers. Hence its applicability is restricted, 2Accepted paper of 8th International Command and Control Research and Technology Symposium 2003 (see http://www.dodccrp.org). 1 especially in military networks where the available bandwidth is small and for this reason a valu- able resource. A more bandwidth sparing mechanism is the concept of multicast communication. Multicast allows the transmission of a datagram from one sender to a group of receivers by only one send operation. The bandwidth usage of that operation is optimal since the datagram is only duplicated if necessary. Multicast requires an advanced routing environment which is capable to deal with this additional demand. A mandatory requirement for military communication is the security of the data traffic. Especially the security services authentication, integrity, and confidentiality are demanded for the transmitted data. In terms of C3IS, a convenient way to establish this requirement is the setup of a virtual private network (VPN), where all components of the information system are connected by secure channels. The necessary mechanisms are provided by the Internet Protocol Security (IPSec) proto- col suite [11]. Two protocols are used to provide a secure data traffic. The Authentication Header (AH) [9] provides data origin authentication, connectionless integrity and anti-replay service for IP packets. The Encapsulating Security Payload (ESP) [10] can be used for encryption, integrity and/or authentication of the payload of IP packets. IPSec is designed to handle any kind of IP traffic. Hence, it is in particular applicable to multicast traffic. However, the security mechanisms included in the IPSec standard so far are not suitable for group communication. The reason is that the requirements for multicast security are different from those for pairwise security. In particular, the usage of a message authentication code (MAC) for data origin authentication is impossible for multicast groups of three or more members. Since all members share the same symmetric authentication key, a MAC cannot be attached uniquely to a group member. Hence, a member can impersonate another by using the same MAC. A promis- ing approach to this problem is the extension of the ESP header to support group secrecy, group authentication, and source authentication [1]. Another problem to solve is the configuration of the concerning hosts, this is, the setup of the crypto algorithms to use and the generation and exchange of the necessary keys. In the case of unicast, an automated configuration procedure is already available. Via the Internet Key Exchange (IKE) [8], two machines set up a secure channel by negotiating security associations (SAs). Such an SA contains all IPSec parameters which are necessary to secure the data flow from one host to another. The session keys as part of the SA are generated randomly using the Diffie Hellman key exchange [7]. An automated setup procedure for secure multicast traffic must be more sophisticated. The reason is the fact that the group members may change during the secure communication. This involves an adaptive reconfiguration of IPSec settings. More precisely, if a new member joins the group then he needs to know the IPSec settings to participate in the multicast communication. For security reasons, the session keys have to be changed to prevent the new member from reading data sent before his join. If a member leaves the group, then a key renewal is also necessary since the leaving host shall not be able to take part in the future data transfer. In our paper, we present the concept of a multicast internet key exchange daemon (MIKED). The task of this piece of software is to set up the parameters for a secure multicast communication under usage of the IPSec protocol suite. Following the unicast case, these parameters are accumulated in a multicast security association (MSA). Since we focus on Internet Protocol Version 6 (IPv6) [6], we choose USAGI Linux [18] as development platform since this operating system contains 2 an IPv6 capable IPSec module. Furthermore, its sources are open and may be modified for our purposes if necessary. The paper is organized as follows. In section 2, we give a brief description of technologies our work is based on. The scenario in which the MIKED shall work is presented in section 3. Section 4 is concerned to the multicast internet key exchange daemon and its classification in the IPSec framework. Furthermore, our design goals are illustrated. Finally, in section 5 the architecture of the daemon is presented. 2. Preliminaries 2.1 The Multicast ESP Framework The research on multicast IPSec is an ongoing topic at the IETF. Currently, there exists no standard in terms of a request for comments (RFC) which solves the problem. A promising proposal is the Multicast ESP (MESP) framework [1]. It uses the ESP protocol to provide group secrecy, group authentication and source authentication of multicast packets. Group secrecy is applied by usage of the ESP confidentiality. For access of the data, the group members must possess a shared symmetric key. The group authentication functionality enables the group members to verify whether an ESP payload was originated within the multicast group. Group authentication is applied by usage of a symmetric MAC, whose key is shared among the group members. Using source authentication, a group member can verify the origin of the data and its integrity. This type of authentication requires stronger cryptographic techniques as group authentication. Suitable are digital signatures (for example RSA-SHA1) or timed MACs (for example TESLA [14]). 2.2 Key Exchange Protocols The group keys are the main components of an MSA. Hence, their negotiation is an important task of the MIKE framework. In principle, there exist two different kind of key exchange protocols depending on how the group key is generated. • Key agreement protocols: The characteristic of this type of protocol is the participation of each group member in the construction of the group key. These protocols are usually generalizations of the Diffie-Hellman key exchange. Examples of key agreement protocols are given in [2, 16]. Key agreement protocols are used if all group members have equal rights and none of them wants to receive a precomputed group key from the other. The cost for this kind of influence on the key generation is large amount of bandwidth usage. The number of messages sent to establish the group key is of quadratic order in the size of the multicast group. Furthermore, an appropriate key size is necessary to guarantee the cryptographic safety of the protocol. Hence, key agreement protocols are only applicable for multicast groups of small size. • Key distribution protocols: An efficient way to manage multicast groups with a large size of members is the usage of a key distribution protocol. In this case the generation and distribution of the group key is taken over by a key server. Therefore, the group members have no influence on the group key. An example of a this type of key exchange is the tree- oriented distribution scheme [19]. 3 Receiver[1;1] Receiver[1;m1] Sender[1] Receiver[n;1] Receiver[2;1] Sender[n] Sender[2] Receiver[2;m2] Receiver[n;mn] Key Agreement Key Distribution Figure 1: The scenario for our multicast communication.